A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS,
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

DETAILED ACTION

1. This action is responsive to communication: filed on 25 June 2007 with 
acknowledgement of an original application filed on 26 August 2003. 

2. Claims 1-21, 23-31, and 33-51 are currently pending in this application. Claims 1, 11,
21, 31, and 41-45 are independent claims. Claims 21, 31, 43, and 44 have been amended.
Claims 22 and 32 have been canceled. Claims 46-51 are new. Amendments to the claims are 
accepted. 

Response to Arguments 

3. Applicant's arguments filed 03 July 2007 have been fully considered; however, they are
moot due to the new grounds of rejection below. 

Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for 
patent or (2) a patent granted on an application for patent by another filed in the United 
States before the invention by the applicant for patent, except that an international 
application filed under the treaty defined in section 351(a) shall have the effects for 
purposes of this subsection of an application filed in the United States only if the 
international application designated the United States and was published under Article 
21(2) of such treaty in the English language. 

5. Claims 1-4, 6-9, 11-14, 16-18, 20, 21, 23, 24, 26-28, 30, 31, 33, 34, and 36-50 are
rejected under 35 U.S.C. 102(e) as being anticipated by Kompella US Patent No. 7,136,374
(hereinafter '374).

As to independent claim 1, "In a first node of a physical network supporting
multiple virtual network connections, a method to dynamically modify configuration data
supporting virtual networks, the method comprising:" is taught in '374 col. 4, lines 14-20
and '374 col. 6, lines 25-30;

"receiving i) network address information associated with at least one host 
computer" the Examiner takes Official Notice that the network address of a host computer is 
inherent with virtual private network (VPN) communications; 

"and ii) a corresponding gateway identifier of a gateway in the physical network 
generating a notification message including the network address information and the 
corresponding gateway identifier; and" is shown in '374 col. 4, lines 18-27 as well as shown 
in FIG. 3, which is pasted below, note the notification message is the advertisement; 

"transmitting the notification message to a second node of the physical network
enabling the second node to establish a virtual network connection between the second
node and the first node on which to forward data messages to the at least one host
computer based on the corresponding gateway identifier" is disclosed in '374 col. 7,
lines 40-56, note the 'destination customer device' is interpreted to be equivalent to the 'at least
one host computer'.

As to dependent claim 2, "wherein generating a notification message further 
comprises: generating at least a portion of the notification message in accordance with a 
distribution protocol utilized by service providers to disseminate routing policy 
information to customer edge nodes; and wherein transmitting a notification message 
includes: transmitting the network address information and the corresponding gateway 
identifier as an appendix to the notification message" is taught in '374 col. 7, lines 40-50 and 
col. 9, line 54 through col. 10, line 47.

As to dependent claim 3, "wherein the distribution protocol is based at least in part 
on an interautonomous system routing protocol and the virtual network connection 
between the second node and the first node is a virtual private network connection overlaid 
on the physical network, one end of the virtual private network connection terminating at 
the gateway identified by the corresponding gateway identifier" is shown in '374 col. 15, line 
44 through col. 16, line 28, note BGP version 4 is an interautonomous routing protocol.

As to dependent claim 4, "further comprising: transmitting routing policy attribute 
information in addition to the network address information and corresponding gateway 
identifier to the second node to more particularly define a policy for routing the data 
messages on a corresponding virtual network connection through the gateway to the at
least one host computer" is disclosed in '374 col. 3, lines 45-57 and col. 7, lines 35-56. 

As to dependent claim 6, "wherein transmitting the network address and identifier 
includes: delivering the notification message including the network address and 
corresponding gateway identifier to multiple customer edge nodes of the physical network, 
each customer edge node updating its corresponding configuration data for establishing 
private networks between the customer edge nodes based on the network address and 
corresponding gateway identifier" is taught in '374 col. 7, lines 40-50 as well as FIG. 11
shown below.

As to dependent claim 7, "wherein the first and second nodes are customer edge
nodes in a network and the network supports virtual private networks terminating at the
customer edge nodes" is shown in '373 col. 6, lines 22-33.

As to dependent claim 8, "wherein the network address information identifies a 
single host computer" is disclosed in '373 col. 6, lines 25-27. 

As to dependent claim 9, "wherein the network address information identifies a 
range of host computers that are part of a network coupled to the first node" is taught in 
col. 6, lines 23-27, the Examiner takes Official Notice that the 'range of hosts computer' is well 
known with standard communications over an IP network and customer edge devices.

As to independent claim 11, this claim is directed to the computer system of the method 
of claim 1; therefore it is rejected along similar rationale. 

As to dependent claims 12-14, and 16, 18-20, these claims contain substantially similar 
subject matter as claims 2-4 and 6-10; therefore they are rejected along similar rationale. 

As to dependent claim 17, "wherein the first and second nodes are customer edge 
nodes in a network configured according to Request For Comment 2547" is taught in '374 
col. 6, lines 22-33. 

As to independent claim 21, this claim is directed to a receiving node of a physical 
network as in claim 1, which is rejected along similar rationale; 
In addition claim 21 contains the limitation: 

"and upon forwarding data messages through the receiving node, utilizing the map 
to identify on which virtual network to forward the data messages through the gateway to 
the destination node" which is taught in '374 col. 7, lines 30-56.

As to dependent claim 22, "further comprising: upon forwarding data messages
through the receiving node, utilizing the map to identify on which virtual network to 
forward the data messages through the gateway to the destination node" is shown in '374 
col. 7, lines 30-56. 

As to dependent claim 23, "further comprising: at the receiving node including the 
map, receiving a data message to be forwarded based on a corresponding destination 
address; comparing the destination address and a source address of the data message to 
network address information stored in the map; identifying, based on the destination 
address, how to transmit the data message to the destination node based on a 
corresponding virtual network connection specified in the map" is disclosed in '374 col. 10, 
line 49 through col. 11, line 3. 

As to dependent claim 24, "further comprising: in response to identifying that the 
destination address of the data message matches network address information in the map, 
establishing the corresponding virtual network connection specified in the map on which to 
transmit the data message to the destination node" is shown in '374 col. 7, lines 30-56. 

As to dependent claim 26, "further comprising: in response to identifying that the 
destination address of the data message matches network address information in the map, 
identifying whether a corresponding virtual network connection specified in the map has
been established and, if so, transmitting the data message on the established virtual
network connection to the destination node" is disclosed in '374 col. 14, lines 50-64.

As to dependent claims 27 and 28, these claims contain substantially similar subject
matter as claims 8 and 9; therefore they are rejected along similar rationale.

As to dependent claim 30, "wherein the gateway is located in the sending node" is
taught in '374 col. 4, lines 14-27.

As to independent claim 31, this claim is directed to the computer system of the method 
of claim 21; therefore it is rejected along similar rationale. 

As to dependent claims 32-34 and 36-40, these claims contain substantially similar 
subject matter as claims 22-24 and 26-30; therefore they are rejected along similar rationale. 

As to independent claim 41, this claim is directed to a computer program performing the 
method of claim 1; therefore it is rejected along similar rationale. 

As to independent claim 42, this claim is a means claim performing the method of claim 
1; therefore it is rejected along similar rationale. The means to perform the method is shown in 
the above rejection. 

As to independent claim 43, this claim is directed to a computer program performing the 
method of claim 21; therefore it is rejected along similar rationale.

As to independent claim 44, this claim is a means claim performing the method of claim 
21; therefore it is rejected along similar rationale. The means to perform the method is shown in 
the above rejection. 

As to independent claim 45, this claim is directed to customer edge routers that
incorporate substantially similar subject matter of the methods of claims 1 and 21; therefore it is
rejected along similar rationale. 

As to dependent claim 46, "further comprising: generating a map at the second node 
based on the network address information and the corresponding gateway identifier of the 
gateway for routing of messages destined for the at least one host computer via the gateway 
identifier, the second node supporting forwarding of the messages to the at least one host
computer through the gateway as specified by the corresponding gateway identifier" is 
taught in '374 col. 7, lines 30-56. 

As to dependent claim 47, "wherein transmitting the notification message to the 
second node includes: transmitting the notification message from a first customer edge 
node through a path including a service provider network to a second customer edge node, 
the second customer edge node configured to utilize the network address information and 
the corresponding gateway identifier to create a map specifying the gateway in the physical 
network as specified by the corresponding gateway identifier on which to forward messages 
from the second customer edge node through the service provider network to the first 
customer edge node to the at least one host computer" is shown in '374 col. 7, lines 30-56. 

As to dependent claim 48, "wherein transmitting the notification message from the 
first customer edge node through the path including the service provider network to the 
second customer edge node includes: transmitting the notification message to a first service 
provider edge router in the service provider network, the first service provider edge router 
configured to distribute the notification message to multiple other service provider edge 
routers in the service provider network" is disclosed in '374 col. 7, lines 40-50 as well as 
FIG. 11. 

As to dependent claim 49, "wherein each of the multiple other service provider edge 
routers in the service provider network is configured to identify which virtual private 
network the corresponding gateway identifier is associated with for purposes of advertising 
the network address information and the corresponding gateway identifier to appropriate 
customer edge nodes, a given provider edge router of the other service provider edge
routers configured to receive the notification message from the first service provider edge
router and forward the network address information and the corresponding gateway
identifier to the second customer edge router" is taught in '374 col. 7, lines 30-56.

As to dependent claim 50, "wherein the given service provider edge router is 
configured to determine a virtual private network to which the notification message 
pertains based on use of a route target extended community attribute" is shown in '374 col. 
8, lines 30-41. 

Claim Rejections - 35 USC § 103

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject matter 
sought to be patented and the prior art are such that the subject matter as a whole would have 
been obvious at the time the invention was made to a person having ordinary skill in the art to 
which said subject matter pertains. Patentability shall not be negatived by the manner in which 
the invention was made. 

7. Claims 5, 10, 15, 25, 29, and 51 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Kompella US Patent No. 7,136,374 (hereinafter '374) in view of Simon et al. 
US Patent No. 7,028,183 (hereinafter '183). 

As to dependent claim 5, the following is not taught in '374: "wherein the first and the 
second nodes are part of a network that does not inherently support encryption services 
and configuration data at the second node at least partially supports encryption of data 
messages forwarded to the at least one host computer through the gateway identified by the 
corresponding gateway identifier"; however, '183 teaches "Whereas the embodiments which
have been described are directed toward relocating the IKE negotiation procedure, in yet another
embodiment, the IPsec (AH or ESP protocol) processing is moved. This IPsec processing may be 
located in a node referred to herein as an encryption node or in any one of a plurality of 
encryption nodes, where the encryption node(s) may be physically separate from the edge 
routers. Packet filters within the edge routers control which traffic from the end nodes must pass 
to these encryption nodes and which traffic may pass directly (and therefore without encryption 
through the IPsec tunnel) to the destination hosts. In some configurations, these packet filters 
therefore can reduce the amount of traffic that must pass through the encryption nodes, thereby 
reducing the overall cryptographic load. This is in contrast to the prior art, in which the end node 
either transmits all data through the IPsec tunnel or in which the end node is solely responsible 
for selecting which traffic passes through the IPsec tunnel encryption. In particular, the packet 
filters within the edge routers enable the network to enforce cryptographic policies without 
relying on the proper configuration of the end nodes. In this embodiment, the encryption nodes 
may be co-located with cryptographic node processing thus providing the functionality of a 
conventional IPsec endpoint" in col. 9, lines 21-45. 

It would have been obvious to one of ordinary skill in the art at the time of the invention
for a virtual private network enabled to dynamically distribute VPN information taught in '374 to
include a means to use nodes that do not inherently support encryption. One of ordinary skill in
the art would have been motivated to perform such a modification because of the complexity
introduced by a wireless environment; see '183 (col. 4, lines 6 et seq.) "A particular difficulty for
a distributed or clustered IPsec implementation is distribution of cipher keys. Two serious 
problems arise. First, for IKE negotiation to succeed, all of the IKE packets for establishing the 
SA must arrive at the same physical node (e.g. edge router); otherwise no SA will be negotiated
and no encrypted traffic can ever be exchanged . . . Second, once IKE negotiation has produced
one or more SAs, those SAs must be made available to every node (e.g. edge router) that can
transmit or receive traffic using the associated IP address. That is, the SAs (and their associated 
cipher keys, ESP parameters, and AH parameters) need to be available at any edge router to 
which a mobile wireless end node's traffic is directed, in order for the collection of edge routers 
to provide seamless yet secure connectivity for the mobile end node. Otherwise, packets may 
arrive at nodes at which they cannot be decrypted/encrypted or authenticated, resulting in severe
problems including significant packet loss and communication breakdown, and in turn, an 
increase in network latency and a decrease in network throughput". 

As to dependent claim 10, "wherein the corresponding gateway identifier is an IPsec 
identity associated with the at least one host computer" however '183 teaches IPsec 
associations in col. 3, lines 41-51. The motivation to combine '374 and '183 is the same as 
stated above in claim 5. 

As to dependent claims 15 and 29, these claims contain substantially similar subject
matter as claims 5 and 10; therefore they are rejected along similar rationale. 

As to dependent claim 25, "wherein establishing a virtual network connection 
includes establishing a virtual private network connection between the receiving node and 
sending node based on IKE (Internet Key Exchange) protocol and IPsec (Internet Protocol
Security)" however '183 teaches IKE key exchange in col. 3, lines 41-44. The motivation to 
combine '374 and '183 is the same as stated above in claim 5. 

As to dependent claim 51, "further comprising maintaining at least one encryption
key in the map to enable the second customer edge node to identify how to encrypt
information transmitted to the at least one host computer" however '183 teaches that the
edge routers both encrypt and decrypt traffic sent and received, obviously to perform the 
encryption and decryption the edge node contains at least one encryption key in col. 4, lines 42- 
55. The motivation to combine '374 and '183 is the same as stated above in claim 5. 